transport-nantes / tn_web

Website of the Mobilitains
https://www.mobilitains.fr/
GNU General Public License v3.0

Handle user input without error #1026

Closed JeffAbrahamson closed 1 year ago

JeffAbrahamson commented 1 year ago

Seen on prod:

[28/Nov/2022 14:52:08,666] ERROR[log.py:241 (log_response)] Internal Server Error: /tb/p/suite-president-republique-rer-dans-dix-villes/&data=05|01|Magazine44@loire-atlantique.fr|a533c2de6dec4fc952e808dad1501b18\
|beecb8f7d08247d6bcd90516d6628b41|0|0|638052439229581676|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000|||&sdata=pnSFPZfvqCsxyHKa4I3kiD8TbpBj1FMqXUfy6dWxfUQ=&reserved=0
Traceback (most recent call last):
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
psycopg2.errors.StringDataRightTruncation: value too long for type character varying(300)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/var/www/tn-prod2/transport_nantes/utm/middleware/utm.py", line 67, in __call__
    utm.save()
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/base.py", line 812, in save
    self.save_base(
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/base.py", line 863, in save_base
    updated = self._save_table(
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/base.py", line 1006, in _save_table
    results = self._do_insert(
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/base.py", line 1047, in _do_insert
    return manager._insert(
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method
    return getattr(self.get_queryset(), name)(*args, **kwargs)
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/query.py", line 1790, in _insert
    return query.get_compiler(using=using).execute_sql(returning_fields)
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1660, in execute_sql
    cursor.execute(sql, params)
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 67, in execute
    return self._execute_with_wrappers(
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 80, in _execute_with_wrappers
    return executor(sql, params, many, context)
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/var/www/tn-prod2/venv/lib/python3.8/site-packages/django/db/backends/utils.py", line 89, in _execute
    return self.cursor.execute(sql, params)
django.db.utils.DataError: value too long for type character varying(300)

Shriukan33 commented 1 year ago

It's not user input, it's the UTM model that has a VARCHAR(300) limit in the database on the base_url field.

Your "input" is the base URL, which is equal to request.path: /tb/p/suite-president-republique-rer-dans-dix-villes/&data=05|01|Magazine44@loire-atlantique.fr|a533c2de6dec4fc952e808dad1501b18\ |beecb8f7d08247d6bcd90516d6628b41|0|0|638052439229581676|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000|||&sdata=pnSFPZfvqCsxyHKa4I3kiD8TbpBj1FMqXUfy6dWxfUQ=&reserved=0 But it is 340 characters long.

I don't remember building paths like this; could it be a bot?

JeffAbrahamson commented 1 year ago

It could be a bot, or it could be something else.

Our URL is /tb/p/suite-president-republique-rer-dans-dix-villes/. The rest, &data=05|01|Magazine44@loire-atlantique.fr|a533c2de6dec4fc952e808dad1501b18\ |beecb8f7d08247d6bcd90516d6628b41|0|0|638052439229581676|Unknown|TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=|1000|||&sdata=pnSFPZfvqCsxyHKa4I3kiD8TbpBj1FMqXUfy6dWxfUQ=&reserved=0, was not provided by us and is very much user input. And we don't handle it because we don't parse the URL correctly to notice that a '&' sits in the middle, which isn't well-formed but that's not an excuse.

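The handling Jeff describes, as an added Python example that is not the tn_web project's own code: the naive save that produced the 500 next to a guard that drops the stray `&` tail and checks the result against the column width before storing. `BASE_URL_MAX_LENGTH`, the function names and the sample path are assumptions modelled on the report, not values from the project.

```python
"""Added example, not code from the tn_web project: validate a request
path before it is stored in a fixed-width column, as the UTM middleware
in the issue does with request.path into a VARCHAR(300) base_url field."""
from typing import Optional
from urllib.parse import urlsplit

BASE_URL_MAX_LENGTH = 300  # column width reported by the traceback (assumed name)

# Constructed input shaped like the path in the report: the site's own route
# followed by a '&data=...&sdata=...' tail appended by a mail client's link
# rewriter, long enough to exceed the column.
ISSUE_LIKE_PATH = (
    "/tb/p/suite-president-republique-rer-dans-dix-villes/"
    "&data=05|01|user@example.invalid|" + "0" * 32 + "|" + "x" * 230
    + "&sdata=" + "y" * 44 + "&reserved=0"
)


def store_naive(path: str) -> str:
    """The behaviour in the issue: save whatever the client sent.

    Stands in for the database, which rejects the row with
    'value too long for type character varying(300)' and turns one
    oversized request into an HTTP 500."""
    if len(path) > BASE_URL_MAX_LENGTH:
        raise ValueError("value too long for type character varying(300)")
    return path


def normalize_base_url(raw_path: str) -> str:
    """Keep only the route the site actually serves.

    '?query' and '#fragment' are removed by urlsplit; a '&' that appears
    outside any query string (the case in the report) is not part of a
    well-formed path either, so everything from it onward is dropped."""
    path = urlsplit(raw_path).path
    return path.split("&", 1)[0]


def base_url_for_storage(raw_path: str) -> Optional[str]:
    """Return a value that fits the column, or None to skip recording.

    Refusing to record one UTM hit is harmless; letting unbounded client
    data reach a bounded column breaks every page that hits it."""
    path = normalize_base_url(raw_path)
    if len(path) > BASE_URL_MAX_LENGTH:
        return None
    return path
```

A middleware would call `base_url_for_storage(request.path)` and skip the `save()` when it returns None, so an oversized path is logged or dropped instead of becoming a 500.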

JeffAbrahamson commented 1 year ago

Priority 0, 12d old. Status?